[Q] Why don't we use refresh token?

[stillya]

In current implementation we refresh token if it's valid and expired, but what's point to refresh token without dividing on access and refresh tokens?
The reason of refreshing is to set access token expiration time to low and getting new with refresh token to not compromising security. But now if token will be compromised it can be refreshed(so user will always be logged in). It was done intentionally and I don't understand something or It's not implemented yet(if so I would like to contribute)?

[umputun]

My view on this - the refresh token can be compromised in the same way as the auth token. They both send the same "channel" and are stored similarly. Revoking the compromised token is not different from revoking the refresh token. With such a "blocked" token, users won't be able to stay logged in.

Unless I miss the point, it is not apparent what benefit the refresh token brings compared to the currently implemented "automatic refresh auth token" schema. The popular claim "you don't send refresh tokens that often" doesn't make much sense to me and I don't get how this is even related to a more/less secure system.

However, if you can think of any practical benefits I'm missing, pls share, and we can consider implementation.

[umputun]

moved to discussions